ZXSG SVFW-Z virtual FireWall

Overview

The rapid development of cloud computing and virtualization technologies has tremendously changed both data centers and networks. Besides the old security threats, customers today face many new security issues and challenges. In a cloud environment, different tenants' virtual resources can be deployed on the same physical asset, which makes it easy for malicious users to attack the network via shared resources. Applications such as mobile business and BYOD allow terminals on the Internet to access the resources of the enterprise intranet. The blurring boundary between intranet and Internet not only brings customers convenience in processing regular business, but also leaves more opportunities for attacks. Problems such as virtual machine migration and virtual machine escape call for new security policies. At the same time, as today's booming new services are more tightly tied to security requirements, security issues become more vital and more complicated. Instead of being a simple precaution, security capability shall be treated as an important service. Security service suppliers need to provide users and applications with more open and more flexible interfaces, as well as individualized security protection.

Traditional security devices, which are incapable of the automatic deployment and dynamic scale-in/out required by virtualization, can hardly meet the massive requirements generated by new services, for instance dynamic user creation, on-demand distribution, new identification methods for new services and new protection methods. Therefore, to secure cloud computing and build reliable virtual networks, a virtual firewall (vFW) deployed on a cloud computing/virtual network for secure network communication has now become a crucial security measure that keeps the network and all sorts of resources safe and reliable.

Based on traditional security architecture, ZXSG SVFW-S enables firewall abstraction and pooling. Featuring elastic expansion and automatic on-demand deployment, ZXSG SVFW-S (vFW) can be extensively used to protect core networks, medium and large private clouds, and NB-IoT networks.


System Architecture

Overview

Virtual Platform

The VM-based vFW runs on universal servers to protect telecom networks. Adaptive to multiple virtual platforms including TECS, VMware, KVM and so on, it does not rely on any proprietary hardware and allows hardware and software to be decoupled.

Software architecture

To perform efficient data forwarding and make the system more reliable and secure, the vFW is designed with a separate management plane, control plane and user plane. The management plane implements management of performance, alarms, logs, configurations and life cycle. The control plane takes responsibility for protocol processing and generation of policy information. The user plane performs packet filtering, packet conversion, packet processing and packet forwarding as per static configuration or dynamic policy information.

The isolation is performed in the following ways:

Isolation of network planes: The network is split into a control plane network, management plane network and user plane network.

Isolation of processes/threads: All the processes of the control plane, management plane and user plane are independent. The threads on the user plane are bound to vCPU cores.

Cloud management center

vFW components are located at the cloud management center. During virtual network orchestration and operation, the vFW components for the different security protection scenarios work together with other network elements at the cloud management center to provide the related management services and carry out vFW life cycle management.

Operation, Maintenance and Management System

As a universal operation, maintenance and management system, the EMS enables the virtual security device to provide operation and maintenance services and visualized display of alarms, performance and logs.


Distributed Deployment

Designed as a distributed system, the vFW is composed of one Operating Main Processor (OMP) and multiple Peripheral Processor units (PP). The OMP and PPs can be deployed on the same VM or on different VMs. The vFW supports either single-VM or multi-VM deployment and a dual-host hot redundancy mode.

As the main processor of the vFW, the OMP manages all the PP units. vFW scale-in/out does not impact the OMP at all.

The PPs of the vFW are responsible for the inspection, processing, control and protection of messages. When the user quantity or throughput changes, the PPs can scale out or scale in according to the elastic policies.


Features

High Performance/Low Latency

The vFW employs many technologies including SR-IOV, DPDK and separated control and forwarding to improve performance and reduce latency.

SR-IOV

By using SR-IOV technology to share one PCI device among multiple VMs, the vFW increases the utilization rate of I/O devices and reduces network latency. SR-IOV can work on GE/10GE/40GE interfaces.

DPDK

The vFW employs DPDK technology for more powerful system processing. Accessing the hardware directly, DPDK reaches the hardware resources by polling in user mode, which improves network I/O throughput. Classifying packets in hardware effectively saves CPU resources. Using hardware queues to process messages avoids the bottlenecks caused by software distribution threads.

Separated control and forwarding

The vFW uses different paths to separate control plane services (for example, protocol processing and dynamic generation of policy information) from user plane services (for instance, data packet filtering, forwarding and processing), making data forwarding more efficient.

High Reliability

The vFW employs the enhanced VRRP protocol running on the HA path between the active and standby OMPs so that the firewall can work in hot redundancy mode. While the system is running, the active and standby OMPs negotiate their working mode according to the received VRRP messages. When any active vFW unit (PP) breaks down, the standby vFW unit takes over its work automatically. As the HA path is an independent Neutron network, it does not affect the service networks.

To keep the system reliable and free of data blocking, the vFW implements data synchronization and backup via multiple HA paths.

Easy Operation and Maintenance

Automatic Deployment: The vFW can be deployed on a universal server automatically. Once maintenance engineers finish the vFW deployment blueprint, the entire deployment can be done rapidly, flexibly and automatically, which obviously makes O&M much easier.


Elastic Scale-In/Out: To enable simplified deployment and management, as well as more efficient resource utilization, the vFW supports user-defined Scale-In/Out policies.
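The PP elasticity described under Distributed Deployment and Elastic Scale-In/Out, modelled as an added Python example (not ZTE's code): a controller in the OMP's position grows or shrinks the PP pool from throughput samples under a user-defined policy with hysteresis and a cooldown, leaving the OMP itself untouched. The policy field names, thresholds, per-PP capacity and the throughput samples are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ScalePolicy:
    """User-defined elastic policy for the PP pool (field names are assumptions)."""
    scale_out_util: float = 0.80  # scale out when average PP utilisation exceeds this
    scale_in_util: float = 0.30   # scale in when average PP utilisation falls below this
    min_pp: int = 1
    max_pp: int = 8
    cooldown: int = 2             # evaluation rounds to hold after any scaling action

@dataclass
class PPPool:
    """The OMP's view of its PP units; the OMP itself is never resized."""
    policy: ScalePolicy
    pp_capacity_gbps: float       # assumed per-PP forwarding capacity
    pp_count: int = 1
    cooldown_left: int = 0

    def evaluate(self, throughput_gbps: float) -> str:
        """Apply the policy to one throughput sample; return the action taken."""
        if self.cooldown_left > 0:
            self.cooldown_left -= 1   # avoid flapping right after a change
            return "hold"
        util = throughput_gbps / (self.pp_count * self.pp_capacity_gbps)
        if util > self.policy.scale_out_util and self.pp_count < self.policy.max_pp:
            self.pp_count += 1
            self.cooldown_left = self.policy.cooldown
            return "scale_out"
        if util < self.policy.scale_in_util and self.pp_count > self.policy.min_pp:
            # Only remove a PP if the remaining ones would stay below the scale-out line
            after = throughput_gbps / ((self.pp_count - 1) * self.pp_capacity_gbps)
            if after < self.policy.scale_out_util:
                self.pp_count -= 1
                self.cooldown_left = self.policy.cooldown
                return "scale_in"
        return "hold"

def run_samples(samples: List[float], policy: Optional[ScalePolicy] = None,
                pp_capacity_gbps: float = 10.0) -> Tuple[List[str], int]:
    """Feed throughput samples through one pool; return the actions and final PP count."""
    pool = PPPool(policy or ScalePolicy(), pp_capacity_gbps)
    actions = [pool.evaluate(t) for t in samples]
    return actions, pool.pp_count

# Constructed throughput samples (Gbps): ramp up, sustained load, then drain
SAMPLES = [5.0, 9.0, 9.0, 9.0, 17.0, 17.0, 17.0, 4.0, 4.0, 4.0, 2.0, 2.0]
```

Running `run_samples(SAMPLES)` grows the pool to three PPs during the load and returns it to one PP as traffic drains, with the cooldown suppressing back-to-back changes.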

Easy to Integrate: The vFW can be easily integrated into different security protection scenarios. The related cloud management centers are responsible for orchestration and management.

Rich Security Services

In addition to detecting and controlling many kinds of protocol messages, the vFW also provides rich protection services, for instance ACL-based packet filtering, stateful inspection, ASPF, inter-zone policies, DDoS defense, DPI and carrier-grade security protection.


Specifications

To satisfy the requirements of diversified resources, the vFW can be deployed with varying specs.

C4 and C8: Keep the network safe while satisfying operators'/enterprise users' resource restrictions.

C14: Keep the network safe while satisfying operators'/enterprise users' high-performance requirements.

The performance of the vFWs in the different specs is shown in the following table.

Specs/Types    vCPU    Memory (GB)    Storage (GB)
C14            14      40             40
C8             8       32             40
C4             4       20             30


Application Scenarios

Core Networks

Located between the xGW and the Internet, the vFW protects the Gi and SGi interfaces, which keeps the core network GGSN and PGW safe from Internet attacks. The vFW can also be deployed between the xGW and GRX/IPX networks to secure the Gp/S8 interfaces; in this case it protects the core network from roaming threats. All upstream and downstream messages on the Gi/SGi and Gp/S8 interfaces shall be inspected and controlled by the vFW.


NO. 55, Hi-tech Road South, ShenZhen, P. R. China

Postcode: 518057

Web: www.zte.com.cn

Tel: +86-755-26770000

Fax: +86-755-26771999